Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.

When the original story about the US-CERT vulnerability list was posted, I remember thinking that it was really obvious that all it represented was a list of the reported vulnerabilities for the year. There was no commentary or statistics, and CERT made no claims about the relative security of systems. It was just a pure, factual list of what had been reported to them in the last year.

The original report even states that "Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported..."

So to see Red Hat complaining that "the study is confusing and misleading" seems really, really odd. It wasn't a study, it was just a factual list of the reports CERT received.

The fact is that insinuations about relative OS security came only from commentators, not CERT. Surely anything else is just opinion that people have chosen to layer on top of it?

I agree that there is always a danger that a list such as this one will be misinterpreted.

I'm just not sure how CERT could have done it differently. All they did was produce a factual list of vulnerabilities based on the information reported to them. It's just something that CERT does. They did the same thing last year, and maintain a running list as well: